People reported that they cannot power off or
suspend to RAM on their Mac Pro 11. After some investigation
it was found that, once the PCI bridge 0000:00:1c.0 reassigns its
mm windows to ([mem 0x7fa00000-0x7fbfffff] and
[mem 0x7fc00000-0x7fdfffff 64bit pref]), the region of ACPI
io resource 0x1804, where the ACPI Sleep register is located,
becomes inaccessible immediately; as a result neither poweroff (S5)
nor suspend to RAM (S3) works.
As suggested by Bjorn, further testing shows that there is an
unreported device that may be using (conflicting with) the above aperture,
which brings unpredictable results such as the failure to access
the io port, which blocks the poweroff (S5). Besides, if we reassign
the memory aperture to another place, the poweroff works again.
As we do not find any resource declared in _CRS which contains the above
memory aperture, and Mac OS does not use this PCI bridge either, we
choose a simple workaround to clear the hotplug flag (suggested by
Yinghai Lu), thus not allocating any resource for this PCI bridge,
and thereby there is no conflict anymore.

Yue Cao claims that current host rate limiting of challenge ACKs
(RFC 5961) could leak enough information to allow a patient attacker
to hijack TCP sessions. He will soon provide details in an academic
paper.
This patch increases the default limit from 100 to 1000, and adds
some randomization so that the attacker can no longer hijack
sessions without spending a considerable amount of probes.
Based on initial analysis and patch from Linus.
Note that we also have per socket rate limiting, so it is tempting
to remove the host limit in the future.
v2: randomize the count of challenge acks per second, not the period.
Fixes: 282f23c6ee34 ("tcp: implement RFC 5961 3.2")
Reported-by: Yue Cao <email address hidden>
Signed-off-by: Eric Dumazet <email address hidden>
Suggested-by: Linus Torvalds <email address hidden>
Cc: Yuchung Cheng <email address hidden>
Cc: Neal Cardwell <email address hidden>
Acked-by: Neal Cardwell <email address hidden>
Acked-by: Yuchung Cheng <email address hidden>
Signed-off-by: David S. Miller <email address hidden>
[bwh: Backported to 3.2:
- Adjust context
- Use ACCESS_ONCE() instead of {READ,WRITE}_ONCE()
- Open-code prandom_u32_max()]
Signed-off-by: Ben Hutchings <email address hidden>
CVE-2016-5696
[smb: Picked from ff13c4bb5dfe5cd1bd75e2720d1f0aa2e6e81246 bwh-queue]
Signed-off-by: Stefan Bader <email address hidden>
Acked-by: Christopher Arges <email address hidden>
Acked-by: Kamal Mostafa <email address hidden>
Acked-by: Luis Henriques <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>
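
Added illustration (not part of the commit or the kernel source): a user-space C model of the host-wide challenge ACK budget described in the message above, comparing a fixed per-second limit with a budget that is redrawn at random every second. The struct, the function names, the xorshift PRNG and the exact range of the draw (half the limit plus a value below the limit) are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed user-space model; every name here is hypothetical, not a kernel symbol. */
struct ack_limiter {
    uint32_t limit;     /* configured challenge ACK limit per second */
    int randomize;      /* 0 = fixed budget, 1 = budget redrawn each second */
    uint32_t stamp;     /* second the current budget belongs to */
    uint32_t budget;    /* challenge ACKs still allowed in that second */
    uint32_t rng;       /* xorshift32 state, stands in for the kernel PRNG */
};

static uint32_t next_rand(struct ack_limiter *l)
{
    l->rng ^= l->rng << 13; l->rng ^= l->rng >> 17; l->rng ^= l->rng << 5;
    return l->rng;
}

void limiter_init(struct ack_limiter *l, uint32_t limit, int randomize, uint32_t seed)
{
    l->limit = limit; l->randomize = randomize; l->rng = seed ? seed : 1;
    l->stamp = UINT32_MAX; l->budget = 0;
}

/* Offer `offered` ACK-triggering segments during second `now`; return ACKs sent. */
uint32_t acks_sent(struct ack_limiter *l, uint32_t now, uint32_t offered)
{
    uint32_t sent = 0;
    if (now != l->stamp) {              /* first segment of a new second: refill */
        l->stamp = now;
        l->budget = l->limit;
        if (l->randomize)               /* assumed range: half .. half + limit - 1 */
            l->budget = (l->limit + 1) / 2 +
                        (uint32_t)(((uint64_t)next_rand(l) * l->limit) >> 32);
    }
    while (offered-- && l->budget) { l->budget--; sent++; }
    return sent;
}

int main(void)
{
    struct ack_limiter fixed, rnd;
    limiter_init(&fixed, 100, 0, 1);
    limiter_init(&rnd, 1000, 1, 2463534242u);
    for (uint32_t s = 1; s <= 5; s++)   /* flood both limiters for five seconds */
        printf("second %u: fixed=%u randomized=%u\n", (unsigned)s,
               (unsigned)acks_sent(&fixed, s, 5000), (unsigned)acks_sent(&rnd, s, 5000));
    return 0;
}
```

With the fixed budget the host-wide total is the same constant every second, so the count is predictable from outside; with the randomized budget the total changes from second to second, which is the property the commit message relies on.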
HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES commands
This patch validates the num_values parameter from userland during the
HIDIOCGUSAGES and HIDIOCSUSAGES commands. Previously, if the report id was set
to HID_REPORT_ID_UNKNOWN, we would fail to validate the num_values parameter
leading to a heap overflow.
Cc: <email address hidden>
Signed-off-by: Scott Bauer <email address hidden>
Signed-off-by: Jiri Kosina <email address hidden>
(cherry picked from commit 93a2001bdfd5376c3dc2158653034c20392d15c5)
CVE-2016-5829
Signed-off-by: Luis Henriques <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Signed-off-by: Kamal Mostafa <email address hidden>